
OpenStack Cloud Computing Cookbook - Second Edition

By : Kevin Jackson, Cody Bunch

Overview of this book

OpenStack is an open source cloud operating stack that was born from Rackspace and NASA and became a global success, developed by scores of people around the globe and backed by some of the leading players in the cloud space today.

OpenStack Cloud Computing Cookbook, Second Edition will show you exactly how to install the components that are required to make up a private cloud environment. You will learn how to set up an environment that you manage just as you would a public cloud provider like Rackspace, with the help of experienced OpenStack administrators and architects.

We begin by configuring the key components such as identity, image, compute, and storage in a safe, virtual environment that we then build on throughout the book. The book will also teach you about provisioning and managing OpenStack in the datacenter using proven DevOps tools and techniques.

From installing or creating a sandbox environment using Vagrant and VirtualBox to installing OpenStack in the datacenter, from understanding logging to automating OpenStack installations, whatever level of experience or interest you have with OpenStack, there is a chapter for you. Installation steps cover compute, object storage, identity, block storage volumes, image, horizon, software defined networking, and DevOps tools for automating your infrastructure. OpenStack Cloud Computing Cookbook, Second Edition gives you clear step-by-step instructions for installing and running your own private cloud.

Creating the service tenant and service users


With the service endpoints created, we can now configure them so that our OpenStack services can utilize them. To do this, each service is configured with a username and password within a special service tenant. Giving each service its own username and password allows for greater security, troubleshooting, and auditing within our environment: a compromised or misbehaving service can be identified and its credentials rotated individually. For each service that uses OpenStack Identity service for authentication and authorization, we then specify these details in its relevant configuration file when setting up that service. Each service itself has to authenticate with keystone in order for it to be available within OpenStack, and the service is then configured using these credentials. For example, for glance we specify the following in /etc/glance/glance-registry-api.ini when used with OpenStack Identity service, which matches what we created previously:

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 172.16.0.200
service_port = 5000
auth_host = 172.16.0.200
auth_port = 35357
auth_protocol = http
auth_uri = http://172.16.0.200:5000/
admin_tenant_name = service
admin_user = glance
admin_password = glance

Getting ready

To begin with, ensure you're logged in to our OpenStack Controller host—where OpenStack Identity service has been installed—or an appropriate Ubuntu client that has access to where OpenStack Identity service is installed.

To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:

vagrant ssh controller

If the keystone client tool isn't available, it can be installed on an Ubuntu client to manage our OpenStack Identity service by issuing the following commands:

sudo apt-get update
sudo apt-get -y install python-keystoneclient

Ensure that we have our environment set correctly to access our OpenStack environment:

export ENDPOINT=172.16.0.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

How to do it...

To configure an appropriate service tenant, carry out the following steps:

  1. Create the service tenant as follows:

    keystone tenant-create \
        --name service \
        --description "Service Tenant" \
        --enabled true
    

    This produces output similar to what is shown as follows:

  2. Record the ID of the service tenant, so that we can assign service users to this ID, as follows:

    SERVICE_TENANT_ID=$(keystone tenant-list \
        | awk '/\ service\ / {print $2}')
    
  3. For each of the services in this section, we will create user accounts named the same as the services, and set each password to be the same as the service name too. For example, we will add a user called nova, with the password nova, in the service tenant using the user-create option, as follows:

    keystone user-create \
        --name nova \
        --pass nova \
        --tenant_id $SERVICE_TENANT_ID \
        --email nova@localhost \
        --enabled true
    

    This will produce output similar to what is shown as follows:

  4. We then repeat this for each of our other services that will use OpenStack Identity service:

    keystone user-create \
        --name glance \
        --pass glance \
        --tenant_id $SERVICE_TENANT_ID \
        --email glance@localhost \
        --enabled true
    
    keystone user-create \
        --name keystone \
        --pass keystone \
        --tenant_id $SERVICE_TENANT_ID \
        --email keystone@localhost \
        --enabled true
    
    keystone user-create \
        --name cinder \
        --pass cinder \
        --tenant_id $SERVICE_TENANT_ID \
        --email cinder@localhost \
        --enabled true
    
  5. We can now assign these users the admin role in the service tenant. To do this, we use the user-role-add option after retrieving the user ID of the nova user. For example, to add the admin role to the nova user in the service tenant, we do the following:

    # Get the nova user id
    NOVA_USER_ID=$(keystone user-list \
        | awk '/\ nova\ / {print $2}')
    
    # Get the admin role id
    ADMIN_ROLE_ID=$(keystone role-list \
        | awk '/\ admin\ / {print $2}')
    
    # Assign the nova user the admin role in service tenant
    keystone user-role-add \
        --user $NOVA_USER_ID \
        --role $ADMIN_ROLE_ID \
        --tenant_id $SERVICE_TENANT_ID
    
  6. We then repeat this for our other service users, glance, keystone, and cinder:

    # Get the glance user id
    GLANCE_USER_ID=$(keystone user-list \
        | awk '/\ glance\ / {print $2}')
    
    # Assign the glance user the admin role in service tenant
    keystone user-role-add \
        --user $GLANCE_USER_ID \
        --role $ADMIN_ROLE_ID \
        --tenant_id $SERVICE_TENANT_ID
    
    # Get the keystone user id
    KEYSTONE_USER_ID=$(keystone user-list \
        | awk '/\ keystone\ / {print $2}')
    
    # Assign the keystone user the admin role in service tenant
    keystone user-role-add \
        --user $KEYSTONE_USER_ID \
        --role $ADMIN_ROLE_ID \
        --tenant_id $SERVICE_TENANT_ID
    
    # Get the cinder user id
    CINDER_USER_ID=$(keystone user-list \
        | awk '/\ cinder\ / {print $2}')
    
    # Assign the cinder user the admin role in service tenant
    keystone user-role-add \
        --user $CINDER_USER_ID \
        --role $ADMIN_ROLE_ID \
        --tenant_id $SERVICE_TENANT_ID
    
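The six steps above and the glance authtoken stanza, collected into one script as an added example that is not from the book: it drives the same keystone CLI options the recipe uses, but generates a random password per service instead of reusing the service name, looks IDs up by exact match on the name column of the table output, stores the passwords in a root-only file, and renders the [filter:authtoken] stanza from them. The CREDS_FILE path and the gen_password helper are assumptions; ENDPOINT defaults to the controller address from the Getting ready section.

```shell
#!/bin/sh
# Added example, not from the book: create the service tenant and users as in
# steps 1-6, but with generated per-service passwords instead of password == username,
# exact-match ID lookups, and the authtoken stanza rendered from the stored password.
set -eu
ENDPOINT="${ENDPOINT:-172.16.0.200}"                       # controller address from the recipe
CREDS_FILE="${CREDS_FILE:-/root/service-credentials}"      # assumed location; keep it root-only

# Print the id from keystone's table output ("| id | name | ... |") for the row whose
# name column equals $1 exactly, so "nova" never matches a user called "nova-api".
lookup_id() {
    awk -F'|' -v want="$1" '
        NF >= 3 { gsub(/^ +| +$/, "", $2); gsub(/^ +| +$/, "", $3)
                  if ($3 == want && $2 != "id") { print $2; exit } }'
}

# 24-character random password from /dev/urandom (assumes base64 is installed).
gen_password() {
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24
}

# Render the [filter:authtoken] stanza shown for glance, for service $1 with password $2.
authtoken_stanza() {
    printf '[filter:authtoken]\npaste.filter_factory = keystone.middleware.auth_token:filter_factory\n'
    printf 'auth_host = %s\nauth_port = 35357\nauth_protocol = http\nauth_uri = http://%s:5000/\n' \
        "$ENDPOINT" "$ENDPOINT"
    printf 'admin_tenant_name = service\nadmin_user = %s\nadmin_password = %s\n' "$1" "$2"
}

# Steps 1-6 driven by the keystone CLI; needs SERVICE_TOKEN/SERVICE_ENDPOINT as in Getting ready.
create_service_users() {
    umask 077
    keystone tenant-create --name service --description "Service Tenant" --enabled true >/dev/null
    SERVICE_TENANT_ID=$(keystone tenant-list | lookup_id service)
    ADMIN_ROLE_ID=$(keystone role-list | lookup_id admin)
    for svc in nova glance keystone cinder; do
        pass=$(gen_password)
        keystone user-create --name "$svc" --pass "$pass" --tenant_id "$SERVICE_TENANT_ID" \
            --email "$svc@localhost" --enabled true >/dev/null
        uid=$(keystone user-list | lookup_id "$svc")
        keystone user-role-add --user "$uid" --role "$ADMIN_ROLE_ID" --tenant_id "$SERVICE_TENANT_ID"
        printf '%s=%s\n' "$svc" "$pass" >> "$CREDS_FILE"   # read back when writing each service config
    done
}

# Only talk to a real controller when invoked as: sh create-service-users.sh run
if [ "${1:-}" = run ]; then create_service_users; fi
```

When writing a service's paste configuration, read its line from CREDS_FILE and pass the name and password to authtoken_stanza rather than copying a shared password between files.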

How it works...

Creating the service tenant, populated with the service accounts required to run OpenStack, is no different from creating any other user on our system that requires the admin role. We create the usernames and passwords and ensure they exist in the service tenant with the admin role assigned to each user. We then use these credentials when configuring the services to authenticate with OpenStack Identity service.